IBM Security Verify

SAML App Integration

Hands-on lab guide

EESI Security Labs

IBM

November 2024
Table of Contents
IBM Security Verify cookbook introduction ............................................................................................. 4
High level architecture ...................................................................................................................................... 4
Components ...................................................................................................................................................... 4
Pre-requisites.................................................................................................................................................... 5

Exercise 1: Obtain a Security Verify trial and perform initial login ........................................................... 6
Sign up for an IBM Security Verify Trial ............................................................................................................ 6
Check your subscription.................................................................................................................................. 11

Exercise 2: Create users and groups in Cloud Registry .......................................................................... 13

Access the users and groups admin page ...................................................................................................... 13
Create users .................................................................................................................................................... 16

Exercise 3: Set up a 3rd Party SaaS provider ......................................................................................... 22

Obtain a Salesforce Developer Edition instance ............................................................................................. 22

Exercise 4: Perform SaaS application integration .................................................................................. 28

Security Verify: Add application definition for Salesforce .............................................................................. 28
Security Verify: Retrieve required information ................................................................................................ 30
Security Verify: Export signing certificate ....................................................................................................... 32
Salesforce: Create SAML single sign-on definition.......................................................................................... 32
Salesforce: Retrieve required information ...................................................................................................... 34
Security Verify: Complete the application definition ....................................................................................... 34
Security Verify: Set entitlements for application access ................................................................................. 35
Salesforce: Enable single sign-on ................................................................................................................... 35
Salesforce: Create a user ................................................................................................................................ 36

Exercise 5 USE CASE: SaaS access from Employee Launchpad ............................................................. 38

Initial login to Security Verify .......................................................................................................................... 38
Click-through to SaaS application .................................................................................................................. 40

Exercise 6: Modify Sign-in Options ........................................................................................................ 42

Exercise 7: Enable seamless SaaS access for deep linking .................................................................... 46

Configure 3rd party SaaS for service-provider initiated SSO ........................................................................... 46

Exercise 8 USE CASE: SaaS access using deep linking .......................................................................... 48

Exercise 9 USE CASE: Control application access with entitlements ..................................................... 49

Modify entitlements ........................................................................................................................................ 49

Page 2 of 67
 Test entitlements ............................................................................................................................................ 53

Exercise 10 USE CASE: Delegating entitlement management................................................................ 57

Specify an application owner ......................................................................................................................... 57
Login as Application Owner ............................................................................................................................ 59
Access administration pages from Launchpad .............................................................................................. 59

Exercise 11: Application bookmarks ..................................................................................................... 62

Add a bookmark ............................................................................................................................................. 62
Test the bookmark .......................................................................................................................................... 66

Page 3 of 67
IBM Security Verify cookbook introduction
This cookbook provides a step-by-step guide to setting up an IBM Security Verify tenant and
exploring its single sign-on (SSO) and multi-factor authentication (MFA) capabilities.

As with any Software-as-a-Service environment, changes to the service might mean that
screenshots and methods described here may differ from the current service. Please make sure
you are using an up-to-date version of this document to avoid issues.

High level architecture

The high-level architecture for the environment described in this document may be summarized as
follows:

Your Mobile Internet

Device

IBM
Verify IBM Security
App Verify Tenant

Your Computer Salesforce

Developer
Edition
Browser

Components
There are several components required to perform the steps in this cookbook.

Browser
A browser is the only required client for this cookbook. Firefox 60.7.2 ESR is used in this
guide, but any up-to-date browser should work. The browser requires internet connectivity
so that it can reach services on the cloud.

IBM Security Verify Tenant

You will use a trial IBM Security Verify tenant to run the exercises. Instructions for
obtaining this tenant are included.

Page 4 of 67
 Salesforce - Developer Edition (as a SaaS target)
To showcase the single sign-on capabilities of Security Verify, it needs to be connected to
at least one SaaS application. This cookbook documents how to sign up for a Salesforce
Developer Edition account for this purpose.

IBM Verify App

To explore the use of Mobile Push authentication as a Second authentication factor, you
will need to have the IBM Verify application installed on a mobile device. iOS and Android
are supported. Instructions on this are included in this document at the relevant point. The
mobile device will need internet connectivity.

Note: As with any Software-as-a-Service environment, changes to the service might mean that
screenshots and methods described in the document differ from the current service.

Pre-requisites
In order to complete this cookbook, you will need:

• An IBMid in order to obtain the Security Verify trial. If you do not have an IBMid, you can
get one at: https://www.ibm.com/account/us-en/signup/register.html

• An e-mail address to receive initial account information and e-mail One-Time Passwords.
You can use a single e-mail address for all requirements in this document.

• A mobile number to receive SMS One-Time Passwords. You can use a single number for
all requirements in this document.

Page 5 of 67
Exercise 1: Obtain a Security Verify trial
and perform initial login
To perform the steps in this cookbook, you need an environment in which to work. You can sign up
for an IBM Security Verify trial and use Salesforce as your SaaS application.

Sign up for an IBM Security Verify Trial

Anyone with an IBMid can sign up for an IBM Security Verify trial from the IBM Marketplace.

1. Open a new browser window and navigate to:

https://www.ibm.com/products/verify-for-workforce-iam

The following page is displayed:

2. Click Try free edition. The trial sign-up process is started to sign in with (or create) an IBMid.

Page 6 of 67
3. You should already have an IBMid, so click Log In.

4. Enter your IBMid and click Continue.

5. Complete the sign-in process. Depending on what kind of IBMid you have (IBM, Partner,
Customer, etc.) the authentication process is different.

Page 7 of 67
 Once you have successfully authenticated, you will be presented with the Security Verify
registration page:

6. Enter the Hostname that you want your Security Verify tenant to use. This can be any string but
it needs to be unique. This hostname will be seen by end users of your Security Verify tenant.
This hostname is also your Tenant ID.

Be careful entering your hostname. There is no confirmation screen after this one and
hitting 'Enter' will submit the form.

7. To create the trial using the hostname you have provided, click Start Trial.

Tenant provisioning is performed immediately. While the tenant is being created, you will see
this message in the browser:

Page 8 of 67
When provisioning is complete, an e-mail with tenant details will be sent to the e-mail address
associated with your IBMid and you will be redirected (and logged into) your new tenant.

Because this is your first login, you will need to accept the IBM Terms and Conditions before
proceeding.

Page 9 of 67
8. To review the agreement, click View IBM's Terms and Conditions. Assuming you are willing to
agree, select the checkbox next to I agree to IBM's Terms and Conditions and click Continue.

9. A Getting Started pop-up is shown. You can safely close this.

The IBM Security Verify administration dashboard is displayed:

You can access a dashboard tour by clicking the "burger" icon in the upper-left corner
and selecting Dashboard Tour.

Page 10 of 67
Check your subscription
Depending on your entitlement with IBM, the subscription you got when you activated your
Security Verify trial may be different. You will now check the subscriptions that are active.

1. Open the menu, using the “burger” icon in the upper-left corner, and select Configuration.

2. Select the Subscription tab on the Configuration page.

The screenshot above shows the subscriptions for a standard trial. This guide will focus on the use
of the Single sign-on and Multi-factor authentication capabilities of IBM Security Verify.

Page 11 of 67
You have successfully created your Security Verify tenant.

Page 12 of 67
Exercise 2: Create users and groups in
Cloud Registry
IBM Security Verify includes a Cloud Registry where Users and Groups can be defined. You will
now create some users. You will also create a group, which you will use later for access control.

In most Security Verify deployments, end users are usually read from an on-premise directory
(using the Security Verify identity bridge for authentication) or asserted from an on-premise
Identity Provider. However, you do not have these set up yet, so you will initially create and use
local users.

Access the users and groups admin page

1. If you are not already there, sign in to your Security Verify tenant admin UI:
https://<yourtenantid>.verify.ibm.com/ui/admin

2. Open the menu using the burger icon in the upper-left corner and select Users and Groups.

Page 13 of 67
Page 14 of 67
The Users & groups page is shown with the Users tab selected. There is one user listed. This is
your admin user.

Page 15 of 67
Create users
Note: You will need an email address which you have access.
You can also use YOPmail which provides Disposable Email addresses.
In context of this lab, we will be creating a user “Suraj Kanth”

1. To add a new user, click Add. An overlay is displayed:

2. Select Cloud Directory from the Identity Source drop-down. This indicates that the new user
will be a standalone user in the local cloud directory for the tenant, rather than being a
federated user associated with an external identity provider.

3. For the User Name, enter [email protected] or any other id that you prefer appended
by a domain.

For Security Verify, the User Name does not have to be an e-mail address and it only
needs to be unique within your own tenant. However, you will be sending this User
Name to other SaaS services and some of these require a globally unique identifier. So,
use an e-mail address format and include your tenant's Security Verify DNS domain to
ensure it is unique.

4. For Given Name, enter Suraj, and for Surname, enter Kanth. Scroll the overlay to fill in more
information.

Page 16 of 67
5. For Email, enter an e-mail address that you have access to.

The user's initial password will be sent to this address so it needs to be a real address that you
can access. It does not matter if you use the same e-mail address for multiple users. If you do
not want to use your own e-mail address, you can use one @yopmail.com, but be aware that
anyone can see e-mails sent there. This e-mail address can also be used for sending One-time
passwords using multi-factor authentication functionality.

6. For the Mobile Phone Number, enter a number where you can receive SMS messages.

This is optional, but it is useful if you want to send SMS One-time passwords using multi-factor
authentication functionality. The phone number should be in the international dialing format,
for example +15551234567 or +447700900987. Special characters (e.g. + etc.) are ignored
so it does not matter if they are included or not.

7. To create the user, click Save.

8. Select the row for Suraj.

Note that the User Details for Suraj are shown on the right-hand side. You can trigger a password
reset (send a new initial password to the configured e-mail address) or delete a user from here,
too.

For each of the users you have just created, you will receive a message containing the initial
password for the user at the e-mail address you provided.

Page 17 of 67
Create a group
You are now going to create a group. This group will be for users in the Sales department.

1. To show the groups in the Cloud Directory, click on the Groups tab.

Notice that there are a set of built-in groups already defined:

admin Users in this group are administrators of your Security Verify tenant
and can access the Admin Console. The initial user that was created
with the tenant is in this group. You can add other users to this group.

application Users in this group are business owners of applications connected to

owners your Security Verify tenant. Initially there are no members of this
group. Members of this group can access an Entitlements tab from the
Launchpad where they manage the entitled users and groups
associated with the applications for which they are listed as the owner.

helpdesk Users in this group have read only access to everything. In addition,
they can modify user information, initiate password reset, and
disable/delete MFA enrollments.

readonly Users in this group have read-only access to everything but cannot
make any changes. This role could be used by an auditor for example.

Page 18 of 67
2. To add a new group, click Add.

3. For the group Name, enter Sales, and add a Description.

If you assert groups from an Identity Provider, the case-sensitive name of this group
must match the group name sent in the SAML message from the Identity Provider.

4. Click Add next to Group Members to add Suraj to this group.

5. Enter Suraj in the search box (1) and wait for the Matching Users list to be populated.

6. To move Suraj to the Selected Users box, select Suraj Kanth (2) and click Select (3).

7. Click Done (4).

Page 19 of 67
The Add Group window now shows Suraj as a member of the group:

8. To create the new Sales group, click Save.

Note: You need to enable the checkbox “Send the end-user an email notification regarding this
change”, if you want end users to be notified via email.

Page 20 of 67
You can now see the group listed in the Cloud Directory:

If you select a group, the details are shown on the right-hand side. There is also the option to
delete the group. If you want to edit a group, an edit icon appears on the right of each row when
you hover over it.

When a user is added to a group, Security Verify sends an e-mail to their registered e-mail
address to let them know. You will receive an e-mail for Suraj to tell him that he has been
added to the Sales group.

Page 21 of 67
Exercise 3: Set up a 3rd Party SaaS
provider
You will use a Salesforce Developer Edition instance as your third-party SaaS application.
Salesforce is an excellent choice because it allows self-registration for a Developer Edition
instance and the Developer Edition instance allows for configuration of federated access with
SAML 2.0.

Obtain a Salesforce Developer Edition instance

1. To obtain a Salesforce Developer Edition instance, go to the following URL:
https://developer.salesforce.com/free-trials

2. Click Sign Up in the toolbar.

3. Enter your details to sign up. You must give a valid e-mail address because a verification link
will be sent here.

Page 22 of 67
4. When the details are complete, click Sign me up.

The following page is displayed:

Page 23 of 67
5. You now need to check your e-mail. You should get an e-mail which looks like this:

6. Click Verify Account.

This opens a browser window and you are taken to Salesforce.com:

Page 24 of 67
7. Enter a new password and click Change Password.

You are now logged in to your Salesforce Developer Edition instance as the administrative user:

You should be able to see a registered domain in Salesforce. Navigate to setup in the upper right
hand corner. Company Settings→ My Domain.

Page 25 of 67
Page 26 of 67
You might be redirected to classic view to check the domain.

Page 27 of 67
Exercise 4: Perform SaaS application
integration
You are now ready to configure Security Verify and Salesforce for integration. Both sides need
information from the other side so the order of configuration is important, and requires a number
of switches between Security Verify and Salesforce consoles.

Here is an overview of the process:

• Start the application definition process in Security Verify and read Security Verify endpoint
information
• Enter Security Verify information into Salesforce and create a SSO definition
• Read endpoint information from Salesforce (this is only available once the SSO definition is
created)
• Enter Salesforce information into Security Verify and save the application definition
• Configure entitlements in Security Verify

It is recommended to use two browser tabs (or windows) for this section. You will use one
to connect to Security Verify and the other to connect to Salesforce.

Security Verify: Add application definition for

Salesforce
1. If not already there, sign in to your Security Verify tenant using your IBMid account and access
the administration view.

2. Open the menu using the burger icon (1) and select Applications (2).

3. Click Add Application (3).

Page 28 of 67
4. Type salesforce into the search box and then select Salesforce from the results. Click OK.

5. Enter your Salesforce Domain Name in the Host Name field. This must match the domain name
you noted down from the Salesforce Domain above.

6. Enable one or more Salesforce links. Each one of these will show as a tile on the Launchpad for
users entitled to this application.

Page 29 of 67
7. Select the Account Lifecycle tab and set both Provision accounts and Deprovision accounts to
Disabled.

Security Verify: Retrieve required information

1. Select the Sign-on tab.

2. Make a note of the Provider ID. This has been pre-filled based on the Domain Name that you
specified on the previous screen. The Entity ID set in Salesforce will need to match this.

If the Entity ID in Salesforce is set to some other value, you will need to set the Provider ID
here to match it.

Page 30 of 67
The instructions in the right-hand panel of the Sign-On tab contain information you need to add to
the Salesforce configuration:

3. Scroll down the instructions and make a note of the Issuer. This value is unique to your
Security Verify tenant and you will need it to configure Salesforce. There is a copy button you
can use to add to the clipboard.

4. Scroll down again and make a note of the Identity Provider Login URL and Identity Provider
Logout URL (be aware that they might have split onto two lines). These values are unique to
your Security Verify tenant and you will need them both to configure Salesforce.

Page 31 of 67
Security Verify: Export signing certificate
By default, Security Verify uses a private key associated with a self-signed certificate, which is
generated when a tenant is created, to sign outgoing messages and tokens. You need to provide
this certificate to Salesforce so that it can validate signatures created by Security Verify.

Salesforce requires the certificate be uploaded as a file. You can download this file from the
instructions panel in the Sign-on tab.

1. Scroll back up the instructions and click the Download the certificate for uploading link.

2. Save the file. You will need this file in the next section.

Salesforce: Create SAML single sign-on definition

1. Leave the Security Verify Application Definition page open and move to another browser tab (or
Window).

2. Navigate to URL: https://login.salesforce.com and authenticate as your administrative user.

3. Expand Identity (1) in the explorer bar and select Single Sign-On Settings (2).

4. Click New (3).

Page 32 of 67
5. Enter a Name to identify the Security Verify connection. This name may be shown to users but
does not need to match anything else.

6. Use the Issuer value you noted from Security Verify instructions. This issuer identifies incoming
SAML messages from your Security Verify tenant.

7. Click Browse by Identity Provider Certificate and select the certificate file that downloaded from
Security Verify. This certificate will be used to validate signatures received from your Security
Verify tenant.

8. Enter the Identity Provider Login URL that you noted from the Security Verify instructions.
This tells Salesforce where to send SAML login requests.

9. Complete the Custom Logout URL using the Identity Provider Logout URL that you noted from
the Security Verify instructions. This tells Salesforce how to trigger a logout at Security Verify.

10. Complete the Entity ID using the Provider ID that you noted from the Security Verify Single
Sign-On screen. The Entity ID in Salesforce can be any URL, but it must match the Provider ID
set in Security Verify. If you take the default, then this will be the URL of your Salesforce
instance.

Notice the values for SAML Identity Type and SAML Identity Location. With these settings,
Salesforce is going to expect to receive a user identifier from Security Verify that matches
a local user's Salesforce username. It is going to look for this identifier in the Subject
statement of the incoming SAML message.

11. Click Save.

Page 33 of 67
Salesforce: Retrieve required information
Once the SAML Single Sign-On settings are saved in Salesforce, dynamic endpoints are allocated.
You can see them at the bottom of the Single Sign-On Settings page.

1. Scroll to the bottom of the page and make a note of the Login URL. You will need this to
configure the Assertion Consumer Service in Security Verify.

Whatever is shown here is what you need to configure in Security Verify.

Security Verify: Complete the application definition

1. Return to the Security Verify console.

2. Enter the Salesforce Login URL that you noted down as the Assertion Consumer Service URL
(HTTP-POST).

3. Click Save.

Page 34 of 67
Security Verify: Set entitlements for application
access
When a new application definition has been saved, the Entitlements tab is shown. This is where
you can authorize users to access Salesforce using Security Verify. For now, you will simply
authorize all users.

1. Select the option Automatic access for all users and groups.

2. Click Save.

Salesforce: Enable single sign-on

In addition to creating a single sign-on definition, federated single sign-on must be globally
enabled.

1. If not already there, authenticate to your Salesforce instance as an administrator.

2. Expand Identity in the explorer bar and select Single Sign-On Settings.

3. Click Edit.

Page 35 of 67
4. Select the SAML Enabled checkbox and click Save.

Salesforce: Create a user

You need to create a user in Salesforce for your end user, Suraj.

1. Expand the Users section of the Salesforce setup menu and select Users from within the
section.

2. Click New User to open the new user screen.

3. Enter details for the user Suraj. The most important parameter is the Username which must
match Suraj’s username in Security Verify because that how identity mapping is configured by
default.

Page 36 of 67
4. Set the User License to Force.com – Free and Profile to Force.com – Free User. Use details of
the user you created in Verify SaaS to populate the form details.

5. Scroll to the bottom of the panel.

6. Clear the checkbox for Generate new password and notify user immediately. We do not need
Suraj to receive a password from Salesforce because she will only access using Security Verify.

7. Click Save.

You have successfully configured Single Sign-On from Security Verify to Salesforce and
created a user account that can be used for testing.

Page 37 of 67
Exercise 5 USE CASE: SaaS access from
Employee Launchpad
You have now completed the configuration required to show a working employee SaaS access
scenario using IBM Security Verify.

Suraj is a new employee who needs access to SaaS services. He has been provisioned with an
account on his company's IBM Security Verify tenant and on an external SaaS service. He has
been sent an e-mail with his user name and a temporary password.

Initial login to Security Verify

1. Open a fresh browser window that is not logged in to Security Verify or Salesforce.

2. Find the Security Verify user account creation e-mail for Suraj in your inbox.

3. Make a note of the temporary password (or copy to clipboard).

4. Click on the link in the e-mail to go to the Security Verify Launchpad.

Page 38 of 67
5. Enter the username and temporary password for Suraj and click Sign In.

You will see later how to modify the end user Identity Source configuration so the "Sign-
in with IBMid" link is not shown to end users.

The current (initial) password is expired so the password change window is shown.

6. Enter a new password for Suraj and click Change Password.

You are presented with the Employee Launchpad. You should see links for Salesforce. If not,
check the entitlements for the application.

Page 39 of 67
Click-through to SaaS application
Suraj can see the SaaS applications to which he is entitled and can click on any of them for
seamless access.

1. Click one of the Salesforce links on the Launchpad.

You will be taken to Salesforce and logged in as Suraj.

2. Click on the user name at the top-right of the screen and select Logout from the menu.

Suraj is logged out of Salesforce and, because of the Logout URL you specified during configuration,
he is also signed out of Security Verify.

Page 40 of 67
You have successfully shown seamless SaaS application access from the Security Verify
Employee Launchpad

Page 41 of 67
Exercise 6: Modify Sign-in Options
You may have noticed that the End User Login page displays a link for Sign-in with IBMid. This is
because the IBMid Identity Source is currently enabled for end users (in addition to the Cloud
Directory). This choice can be removed by disabling the IBMid Identity Source for end users.

1. Access the IBM Security Verify Admin Console as your administrator. Your URL has the form:
https://<yourtenantid>.verify.ibm.com/ui/admin

2. Open the menu using the burger icon (1) and select Security (2).

Page 42 of 67
Page 43 of 67
3. Select the Sign-in options tab (1). Clink on the dots for IBMid (2) and click Edit sign in options
(3).

4. Clear the check-box for Show for end users (1) and click Save (2).

This setting means that the choice for IBMid will not be shown when the Security Verify end user
URLs are accessed.

In order to login using IBMid, which is needed to login as your administrative user, you will now
have to use the administrative access URL: https://<yourtenantid>.verify.ibm.com/ui/admin

Preventing an identity source from showing does not prevent users from using that
identity source if they use a direct URL to trigger it. To completely disable an identity
source, it must be disabled in the Identity Source configuration. Be careful with this
option or you could lock yourself out.

Page 44 of 67
5. Check the change that you just made.

a. In a new browser, access https://<yourtenantid>.verify.ibm.com.

The login page you see will NOT show the option to sign in with IBMid.

b. Now access https://<yourtenantid>.verify.ibm.com/ui/admin.

You will be taken directly to the IBMid login page.

Page 45 of 67
Exercise 7: Enable seamless SaaS access
for deep linking
In the previous use-case, employees accessed SaaS services using a central Launchpad.

Employees might also access SaaS services by going directly to the SaaS web site or by clicking on
a link to a particular resource held in the SaaS service, which they receive in an e-mail or find on a
collaboration platform. This is called "Deep Linking" (or "Service Provider-initiated SSO") and
requires that the SaaS Service send the user back to IBM Security Verify for authentication.

IBM Security Verify supports Deep Linking.

Configure 3rd party SaaS for service-provider

initiated SSO
To enable SP-initiated SSO, you must change the authentication configuration for your Salesforce
domain.

1. Go to https://login.salesforce.com and log in with your administrator user.

2. Expand Company Settings and select My Domain. Scroll down and click Edit next to
Authentication Configuration.

Page 46 of 67
3. Clear the check-box for Login Form and enable the check-box for your SAML definition.

4. Click Save.

This configuration means that whenever a user attempts to access your Salesforce domain
they will be immediately redirected to your IBM Security Verify tenant for authentication.
If more than one option is selected here, users will see an options screen rather than
seamless SSO. If you need to access your domain as a user that is not defined in Security
Verify, an administrator for example, go to https://login.salesforce.com and authenticate
there instead.

Page 47 of 67
Exercise 8 USE CASE: SaaS access using
deep linking
Suraj receives an e-mail from a colleague. The e-mail includes a link to a new chat function which
is hosted on a SaaS application that Suraj usually accesses from her Employee Launchpad. He
clicks on the link hoping that the system will take him where he wants to go.

1. Log out of Salesforce or open a new browser and enter the link:
https://<your-salesforce-domain>.my.salesforce.com/_ui/core/chatter/ui/ChatterPage

Rather than presenting its own login page, the SaaS service redirects Suraj to his company's IBM
Security Verify tenant to authenticate.

2. Suraj is familiar with authenticating to IBM Security Verify. Enter Suraj’s credentials.

Security Verify authenticates Suraj and then initiates a seamless login to the SaaS service that
requested single sign-on. Security Verify includes an instruction to forward him to the page he
wanted once he is logged in.

Suraj gets seamless access to the resource he wanted.

3. Click on the user name at the top-right of the screen and select Logout from the menu.

Suraj is logged out of Salesforce and, because of the Custom Logout URL you specified during
configuration, he is also signed out of Security Verify.

You have successfully shown Service Provider initiated SSO with Deep Linking.

Page 48 of 67
Exercise 9 USE CASE: Control application
access with entitlements
When an application is configured in IBM Security Verify, the users and groups who are entitled to
connect to that application must be specified as part of the application definition.

Correctly setting entitlements is important for two reasons:

User Experience: When you access the Security Verify Security Verify launchpad, only the
applications to which you are entitled are shown to you. Entitlements should be set up so
that you do not see applications which you cannot use; it is not a good user experience to
click on an application link only to receive an error.

Security: Entitlements can be used to limit application access to specific users. Security
Verify will only generate Single Sign-On assertions for users who are entitled to access the
requested target application.

Modify entitlements
When you created the Salesforce application definition, you chose the simplest option which was
to check the All users are entitled to this application checkbox. This means that all users, even
those who do not have Salesforce accounts, will see the Salesforce icons on their Launchpad.

You will now change the entitlements to limit visibility and access to Salesforce using Security
Verify.

1. Sign in to your Security Verify tenant as your administrator user. You will need to use the Admin
Access URL directly to use the IBMid Identity Source. Your Admin Access URL has the form:
https://<yourtenantid>.verify.ibm.com/ui/admin

2. Enter your IBMid and click Continue.

3. Complete the sign-in process. Your Security Verify administrator dashboard is displayed.

4. Click the person icon in the top-right of the page and select My Homepage from the drop-down
menu.

Page 49 of 67
This opens the end-user launchpad for your administrator user.

5. Click on the Salesforce Sales Cloud link (this is going to fail).

A new browser tab is opened with an error message:

Page 50 of 67
You see this error message because your Security Verify admin user does not have an account in
your Salesforce tenant. You need to change entitlements so that this user does not see Salesforce
on their Security Verify Launchpad.

6. Close the browser tab with the error message to return to the Security Verify Launchpad.

A Security Verify administrator can access the administration pages from the launchpad.

7. Click on the profile icon in the top-right of the page and select Admin Console from the drop-
down menu.

8. Open the menu using the burger icon and select Applications.

9. Click the edit icon for the Salesforce application definition.

Page 51 of 67
10. Select the Entitlements tab (1).

11. Choose Select users and groups, and assign individual accesses (2).

12. To add specific entitlements, click Add (which has now appeared) (3).

The User/Group selector is shown. Although it is possible to add individual users here,
entitlements are usually managed by group.

13. Enter Sales (1) in the search box, select Sales from the Matching Items list (2) and click
Add (3).

The Sales group is added to Selected Items.

14. Click OK (4).

Page 52 of 67
The new entitlements are now shown.

15. To save them to the application definition, click Save.

The Date assigned column is completed with the current date. Also, you can click on the row to
see who assigned the entitlement under Details. The entitlement can also be deleted here.

Test entitlements
You will now test that only users in the Sales group (for example, Suraj) can see the Salesforce
application in their Dashboard and use Security Verify to log in to Salesforce.

Check visibility in Launchpad

First, verify that your administrative user (who is not in the Sales group) is no longer shown the
Salesforce applications on their dashboard.

Page 53 of 67
1. Click the person icon at the top-right of the page and click My Homepage from the drop-down
menu.

The Launchpad displays, and Salesforce is no longer shown for this user.

Page 54 of 67
Check direct access
Now, make sure that this user is not able to access Salesforce by attempting to use a direct link.

1. In a new browser tab, navigate to your Salesforce domain. The URL has the format:
https://<salesforce domain>.my.salesforce.com

Recall that you configured the Salesforce domain for automatic login using your Security Verify
tenant. You are already authenticated to Security Verify as the administrative user, so when the
request for login is received, the following message is shown:

As expected, the configured entitlements in Security Verify do not permit access to Salesforce
for this user.

2. To return to the Security Verify launchpad, close the tab showing the error page, and then Sign
Out.

Test entitled user access

Now you will verify that an entitled user (Suraj, who is a member of the Sales group) can still
access Salesforce using Security Verify.

1. Navigate to https://<yourtenantid>.verify.ibm.com.

2. Login as [email protected]

Page 55 of 67
Suraj can see the Salesforce tiles and, if he clicks on one, can successfully access Salesforce.

3. Sign Out of Security Verify.

You have successfully managed application access with entitlements.

Page 56 of 67
Exercise 10 USE CASE: Delegating
entitlement management
In many cases, it is useful to delegate the ability to control which users have access to a SaaS
application to a business owner.

Without delegation, only your administrative user can manage your Security Verify tenant. You
could, of course, grant other users administrative access but this would give them full control. You
will now set up a user as an application owner, giving them permission to manage entitlements for
Salesforce application access.

Specify an application owner

1. Access the IBM Security Verify Admin Console as your administrator. Your URL has the form:
https://<yourtenantid>.verify.ibm.com/ui/admin

2. In the administration console, open the menu using the burger icon and select Applications.

3. Click the edit icon for the Salesforce application definition.

Page 57 of 67
Currently there is no application owner defined.

4. Click Add Owner.

5. Enter Suraj in the search box.

6. Select Suraj Kanth from Matching Users and click OK.

Page 58 of 67
7. To save the updated application definition, click Save.

When a user is specified as the owner of an application, they are automatically added to
the application owners group in the Cloud Registry. They can access the Switch to admin
link from the Launchpad to manage applications they own. If you like, you can check that
Suraj has been added to this group (under Users and Groups).

8. Sign Out of Security Verify.

Login as Application Owner

1. Return to the Security Verify login page.

2. Enter the username and password for Suraj and click Sign In.

Access administration pages from Launchpad

As an application owner, Suraj can manage entitlements. To do this, Suraj has access to a
restricted administration console.

1. Click the profile (SK) icon in the top-right of the screen and select Switch to admin from
the pop-up menu.
Note: Suraj did not have this option before and was assigned after adding as an application
owner.

Page 59 of 67
Suraj is the application owner for Salesforce, so he sees it listed under Applications.

2. Select the Salesforce row. Notice that you can see the current entitlements in the Entitlements
Summary.

3. Click the Settings icon.

4. To add a new user or group to the entitlement, click Add.

5. You can add the Verify admin account for testing.

6. Explore the other items Suraj has access to as an Application Owner. You'll see that he can
create new users (who he could then entitle for his applications). He can't add groups or add
users to groups though. He can also create recertification campaigns for applications he owns,
and view tokens and consents associated with OIDC applications that he owns. These are
beyond the scope of this cookbook.

Page 60 of 67
7. To return to the launchpad, click the person icon in the top-right of the screen and select
Switch to launchpad from the pop-up menu.

8. Click a Salesforce Link. Suraj is logged into Salesforce as the administrative user.

9. Click the user icon at the top-right of the page to see the logged in user.

10. To log out of Salesforce and Security Verify, click Log Out.

You have successfully shown delegated entitlement management

Page 61 of 67
Exercise 11: Application bookmarks
The Security Verify Launchpad contains links to all of the web sites that employees use. This might
include sites that do not use (or do not support) SAML or OpenID Connect for single sign-on. For
these sites, it is possible to add a simple bookmark to the Launchpad that sends the user to a
configured URL.

When a user accesses an application using a bookmark, there is no single sign-on

functionality provided by Security Verify. However, if the user is accessing Security
Verify using an on-premise Identity Provider (for example IBM Security Verify Access)
then this might provide Single Sign-On to the application.

Add a bookmark
You will now add an application bookmark for the IBM Security homepage on IBM.COM.

1. A custom application can have a custom icon. Navigate to the following URL:
http://ibm.biz/BdjWmD and download the IBM Security logo image, ibmsecurityicon.png.

2. Access the IBM Security Verify Admin Console as your administrator. Your URL has the form:
https://<yourtenantid>.verify.ibm.com/ui/admin

3. Authenticate using your IBMid.

4. In the administration console, open the menu using the burger icon and select Applications.

5. To add a new application, click Add.

Page 62 of 67
6. Select the checkbox for Custom Application, and then click Add application.

7. Enter IBM Security in the top text box. This is the title that will be displayed to users on the
Launchpad tile.

8. Enter a Description and Company Name.

Page 63 of 67
9. Select the Sign-on tab (1).

10. For the Sign-on Method, select Application Bookmark (2).

11. For the Bookmark URL, enter https://www.ibm.com/security (3).

Note that Open ID Connect 1.0 is also listed as a sign-on method. This is a new single
sign-on standard which is being adopted by some SaaS providers and can be supported
by Security Verify for single sign-on to SaaS services.

12. To change the application icon, click the camera icon.

Page 64 of 67
13. Click the upload instruction box and select the ibmsecurityicon.png file you downloaded at
the start of this exercise. You can also drag-and-drop the file into the box. A preview is shown.

14. Click OK.

The image now appears on the application page:

15. On the Account lifecycle tab, Disable Provision accounts and Deprovision accounts.

16. Click Save.

Page 65 of 67
Saving the new application opens the Entitlements tab:

17. Click the option for Automatic access for all users and groups.

18. To save the updated application definition, click Save.

Entitlements can be used to limit which users will see the application bookmark on their
Security Verify Launchpad, but they cannot stop users from accessing applications
directly. Access control will need to be provided by the application itself, or by an on-
premise access management system, such as IBM Security Verify Access.

Test the bookmark

1. Click the Person icon in the top-right of the page and select Switch to launchpad from the
drop-down list.

Page 66 of 67
This opens the Launchpad and displays the new application tile:

2. Click the IBM Security application tile. The IBM Security web site opens in a new browser tab.

3. Close the new tab to return to the Launchpad.

You have successfully configured and used an Application Bookmark.

This concludes the exercises in this cookbook.

Page 67 of 67